#5079 - Add additional admin session security / confirmation for sensitive member actions
Patrick and I have discussed, and this basically is happening already in the sense that sessions must be confirmed to use the Admin Zone or to edit/delete members. I am going to clean up that code a bit though as it's not formalised enough IMO.
However, through discussion with Patrick some more specific ideas came up, so I'll post these as new issues.
The more I thought about this, the more I realised it is a thorny issue to do anything radical and yet there were some tweaks we could do that got us to a similar place, effectively.
Problems:
1) It would be slavish to forcibly give member detail lookup more security than, say, the zone editor, or anything that could cause massive havoc to totally destroy a site.
2) ... so we'd need proper configurability. But trying to implement a way of manually configuring different kind of session confirmation timeouts for different areas would be like creating an entirely new parallel privileges system, a massive effort.
3) It's a lot easier said than done forcing re-login. What if login is automatic via LDAP? What if it is through OAuth? What if login is 2FA (looking ahead here), do we force a full 2FA step to do stuff? Does that become configurable?
So instead, I think it's best to just bolster the existing system of forcing confirmed sessions and applying reasonable privileges.
I made these main changes:
1) Forced "view_any_profile_field" for member export (i.e. on top of normal Admin Zone access)
2) Forced "member_maintenance" for member import (FYI "assume_any_member" was already needed for importing usergroup changes)
3) Adjusted the Setup Wizard's high security profile to timeout sessions in 20 mins, and medium to 1 hour (which is the default pre-Setup Wizard anyway); this reduces the core issue of an admin confirming a session and then leaving their desk long enough for a sneak to mess with their machine
4) Only put password in exported spreadsheet if "assume_any_member" privilege
5) Fix session confirmation requirement for member account editing/deleting (was broken!)
6) Prevent AJAX scripts (etc) from bumping session timeout; we don't want an admin's machine to be left on and the notification poller (for example) to keep the session alive forever
7) Changed viewing member e-mail addresses to use the view_any_profile_field privilege not the member_maintenance privilege (for consistency)
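The points above (confirmed-session idle timeout, background requests not extending it, and privilege gating of member export/import) are generic enough to model without the CMS. The following is an added illustration written for this page, not Composr's PHP code: the 20-minute/1-hour timeouts and the privilege names come from the post, while the session structure, function names and sample member records are constructed assumptions.

```python
"""Toy model of 'confirmed session' gating for sensitive admin actions.

Added example, not Composr code.  Timeouts and privilege names follow the
post above; the Session class, function names and sample data are assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Idle timeouts for a confirmed session, per the post's Setup Wizard profiles.
CONFIRM_TIMEOUTS = {"high": 20 * 60, "medium": 60 * 60}


@dataclass
class Session:
    member: str
    privileges: frozenset
    # Time (seconds) of the last *interactive* request since the password was
    # re-entered.  None means the session has never been confirmed.
    confirmed_activity: Optional[float] = None


def confirm(session: Session, now: float) -> None:
    """The member just re-entered their password: start the confirmation window."""
    session.confirmed_activity = now


def touch(session: Session, now: float, *, background: bool) -> None:
    """Call on every request.  Background requests (notification poller, other
    AJAX keep-alives) must NOT extend the window, otherwise an unattended browser
    keeps the admin's confirmed session alive indefinitely."""
    if background or session.confirmed_activity is None:
        return
    session.confirmed_activity = now


def is_confirmed(session: Session, now: float, profile: str) -> bool:
    if session.confirmed_activity is None:
        return False
    return now - session.confirmed_activity <= CONFIRM_TIMEOUTS[profile]


def require(session: Session, now: float, profile: str, privilege: str) -> None:
    """Sensitive actions need BOTH a confirmed session and a specific privilege;
    Admin Zone access on its own is not enough."""
    if not is_confirmed(session, now, profile):
        raise PermissionError("session confirmation required")
    if privilege not in session.privileges:
        raise PermissionError("missing privilege: " + privilege)


def export_members(session: Session, now: float, profile: str,
                   members: Iterable[dict]) -> List[dict]:
    """Member export: view_any_profile_field is required; the password column is
    only included for someone who could impersonate members anyway."""
    require(session, now, profile, "view_any_profile_field")
    include_pw = "assume_any_member" in session.privileges
    rows = []
    for m in members:
        row = {k: v for k, v in m.items() if k != "password_hash"}
        if include_pw:
            row["password_hash"] = m["password_hash"]
        rows.append(row)
    return rows


def import_members(session: Session, now: float, profile: str, rows: List[dict]) -> int:
    """Member import: member_maintenance is required on top of Admin Zone access."""
    require(session, now, profile, "member_maintenance")
    return len(rows)


# Constructed sample data (not real accounts).
SAMPLE_MEMBERS = [
    {"username": "alice", "email": "alice@example.test", "password_hash": "h1"},
    {"username": "bob", "email": "bob@example.test", "password_hash": "h2"},
]


def demo() -> dict:
    """Walk through the failure mode the post describes: a poller cannot keep a
    confirmed session alive past the idle timeout."""
    s = Session("admin", frozenset({"view_any_profile_field"}))
    confirm(s, 0.0)
    touch(s, 600.0, background=False)        # admin clicks around at 10 min
    still_ok = is_confirmed(s, 1500.0, "high")   # 15 min idle: fine under 20 min
    touch(s, 1400.0, background=True)        # AJAX poller fires; must not count
    after_poll = is_confirmed(s, 2000.0, "high")  # 23 min idle: expired
    return {"still_ok": still_ok, "after_poll": after_poll}


if __name__ == "__main__":
    print(demo())
```

The export check is the interesting part: even a confirmed session with `view_any_profile_field` gets the spreadsheet without the password column unless it also holds `assume_any_member`, mirroring points 1 and 4 above.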